The University of Michigan recently responded to a cybersecurity incident involving Instructure, the vendor that provides the Canvas learning management system.
Instructure, the company that provides Canvas, experienced a cybersecurity incident involving unauthorized activity in the Canvas platform. Canvas is used by approximately 9,000 schools and educational institutions, and this vendor-level incident affected many Canvas customers, including the University of Michigan. According to Instructure, the company detected unauthorized activity on April 29, 2026, took steps to revoke access, and began an investigation with outside forensic experts. Instructure later identified additional unauthorized activity on May 7 that was tied to the same incident.
At U-M, ITS temporarily restricted access to Canvas after the May 7 activity created an immediate security concern about the condition of the service. This allowed ITS teams to investigate, coordinate with Instructure, and take steps to protect university systems and data before restoring access.
On April 29, 2026, Instructure detected unauthorized activity in Canvas. Instructure has stated that it revoked unauthorized access, began an investigation, engaged outside forensic experts, and took additional protective steps. The data involved in that phase may have included some personal information from users at affected organizations, such as names, email addresses, student ID numbers, course names, enrollment information, and direct messages among Canvas users. Instructure has stated that it has found no evidence that passwords, dates of birth, government identifiers, or financial information were involved.
On May 1, 2026, Instructure issued a basic notification on its website that it had experienced a "cybersecurity incident," but without details about the nature of the incident.
On May 5, 2026, ITS posted a status page indicating that we were aware of the issue and awaiting additional information from Instructure to determine next steps.
On May 6, 2026, Instructure notified impacted organizations, including U-M. The university later posted a Safe Computing notice stating that Instructure had informed ITS that the University of Michigan was among the organizations whose data was involved in the vendor-related incident.
On May 7, 2026, Instructure identified additional unauthorized activity tied to the same incident. Instructure has stated that this activity involved changes to pages that appeared for some users while they were logged in through Canvas. U-M ITS called a major incident, posted service updates, and temporarily restricted Canvas access across all three campuses out of an abundance of caution.
On May 8, 2026, Canvas access was restored across all U-M campuses after additional validation and restoration work. ITS continued to monitor the service, and some integrations or connected services were expected to continue stabilizing as restoration activities were completed.
The April 29 incident involved unauthorized access to some Canvas data, but Canvas continued to operate while Instructure investigated and applied safeguards. When U-M was notified on May 5, Instructure believed the situation was contained and institutions could continue to use Canvas as normal. The situation changed on May 7, when Instructure identified additional unauthorized activity tied to the same incident. That activity affected pages some users saw while logged in through Canvas, which created an immediate security concern about the condition of the service.
U-M restricted access to Canvas out of an abundance of caution while ITS investigated, worked with Instructure, and validated that the service could be safely restored.
No. This was a vendor-related incident involving Instructure and Canvas. It was not specific to the University of Michigan and affected thousands of other institutions that use Canvas. U-M’s response focused on protecting the university community, validating the condition of the service, and providing timely guidance as information became available.
Yes. Canvas access has been restored across all University of Michigan campuses. Users should be able to log in and resume normal activity. Some integrations or connected services may continue stabilizing as restoration activities are completed.
Based on information provided by Instructure to date, the data involved appears to include information stored in Canvas, including names, email addresses, student ID numbers, course names, enrollment information, and direct messages among Canvas users. Instructure has stated that it has found no indication that core learning data (course content, submissions, credentials), passwords, dates of birth, government identifiers, or financial information were involved. U-M continues to work with Instructure to understand any U-M-specific impact.
Yes. Instructure has shared that it reached an agreement with the unauthorized actor involved in the incident. According to Instructure, the data was returned, the company received assurances that it will not be further shared on the dark web or elsewhere, and Instructure received proof that copies of the data were deleted. Instructure also stated that it has been informed no Instructure customers will be extorted as a result of this incident.
Instructure has shared several encouraging updates, including that the data was returned, that it received assurances the data will not be further shared, and that it received proof that copies were deleted. At the same time, Instructure noted that there is never complete certainty when dealing with cyber criminals. U-M will continue to treat this seriously, monitor for related concerns, and work with Instructure as the investigation continues.
No. Instructure has stated that the agreement it reached applies to all customers and that there is no need for individual customers to attempt to engage with the unauthorized actor. If you receive a suspicious or threatening message, do not respond, do not send money, and do not click links or open attachments. Report suspicious messages to [email protected].
No. Instructure has stated that it continues to respond to the incident and will provide meaningful updates as its work progresses. U-M will continue to work with Instructure to understand any U-M-specific impact and will share additional information with the university community as it becomes available.
We understand that Instructure’s investigation is ongoing, and we will share information when it is available regarding what U-M data was impacted as part of Instructure’s security incident.
Most users can return to Canvas and resume normal activity.
Because the data involved in the incident included information entered into Canvas, please remain alert for suspicious emails, login prompts, text messages, or other communications that reference Canvas, Instructure, or university systems. Be wary of messages that mention communications you may have had on Canvas. Do not click suspicious links, open unexpected attachments, or share passwords or authentication codes. The FBI issued a public statement related to the event as well. Instructure has stated that it has been informed no Instructure customers will be extorted as a result of this incident. Even so, if you receive a threatening message, a demand for money, or a message claiming that your information has been stolen, do not respond. Report suspicious messages to [email protected].
If you receive a message that seems unusual or suspicious, report it to [email protected].
Some users may have encountered an unfamiliar Canvas login page during the incident. The page may have looked different from the standard U-M single sign-on experience and may have appeared more like a native Canvas login screen.
If you entered your U-M username and password into an unfamiliar Canvas login page during the incident, ITS strongly recommends that you change your UMICH password immediately.
You should change your UMICH password immediately if you entered your username and password into an unfamiliar Canvas login page during the incident. If you use the same password on other sites, you should change it there as well.
Even if you did not enter your credentials, please remain alert for phishing attempts, unexpected login prompts, or unusual account activity.
Instructure has stated that it has found no evidence that passwords were involved. However, if you entered your U-M username and password into an unfamiliar Canvas login page, ITS strongly recommends changing your UMICH password as a precaution.
Based on the information currently available, this incident involved the Canvas platform operated by Instructure. ITS continues to monitor university systems, coordinate with Instructure, and work with appropriate university partners as additional review activities continue.
Some integrations or connected services may have needed additional time to stabilize after Canvas access was restored. Users may be asked to reauthorize or reconnect certain tools, depending on how the tool interacts with Canvas. ITS will continue to monitor connected services and provide additional guidance if action is needed.
Instructure has informed U-M that, based on its investigation with a security advisory firm, neither UM-Dearborn’s Academic Canvas nor UM-Dearborn’s Professional Development Canvas was impacted by the security incident. U-M has not yet received the same level of campus-specific information from Instructure for the Ann Arbor and Flint campuses. Because campuses may have been impacted differently, additional communications will be shared with those communities as more information becomes available.
U-M used several channels to keep the community informed, including campuswide emails, the ITS Service Status page, social media, Wolverine Access messaging, direct outreach to unit IT leaders and campus communicators, and updates through ITS communications channels. ITS also asked units to direct audiences to official ITS updates so the community would receive consistent and accurate information.
Instructors should use their best judgment and work with their departments, schools, or colleges as needed to address any course-specific impacts. Students with questions about assignments, deadlines, exams, or course materials should contact their instructors directly.
ITS temporarily restricted Canvas access, investigated the issue, worked with Instructure, coordinated with university partners, and restored access after additional validation. ITS continues to monitor systems and review the situation as more information becomes available.
Instructure has stated that it revoked privileged credentials and access tokens tied to affected systems, deployed additional platform protections, rotated internal keys, restricted token creation pathways, added monitoring across its platforms, engaged outside forensic experts, and notified law enforcement.
U-M will continue to work with Instructure to understand what information relating to U-M was impacted.
Yes. Instructure CEO Steve Daly posted an apology acknowledging the disruption the incident caused for customers, including stress on teams, missed moments in the classroom, and unanswered questions. Instructure also acknowledged that its communication during the incident was not as consistent as customers needed and stated that it will change its approach moving forward.
Instructure has stated that Canvas is fully operational and remains safe to use. Instructure also stated that core learning data, including course content, submissions, and credentials, was not compromised. The company said it will provide guidance if any additional action is required. At this time, Instructure is not recommending broad new customer-side remediation solely based on the May 7 activity unless it communicates directly that specific action is required.
For U-M-specific information, visit the ITS Service Status page or contact the ITS Service Center. For information from Instructure, visit Instructure’s incident update page or Instructure’s status page. Instructure has stated that its incident update page will serve as its central source for confirmed updates about this incident.
Please contact the ITS Service Center if you have questions, believe your account may have been impacted, or experience issues accessing Canvas.
ITS Service Center
https://its.umich.edu/help
Chat: chatsupport.it.umich.edu
Phone: 734-764-HELP (764-4357)
